Luna Network HSM Appliance Software 7.0.0

Luna Network HSM 7.0.0 was released in June 2017 and came pre-installed on Luna Network HSMs until August 2018.

New Features and Enhancements

Luna Network HSM 7.0.0 includes the following new features and enhancements:

New Luna Network HSM Appliance

The Luna Network HSM 7 has a new chassis and offers enhanced installation, maintenance, security, and usability features, including the following:

- Optional sliding mounting rails provide simplified installation and improved access for performing maintenance tasks and accessing the network ports.

- A locking faceplate bezel restricts access to the front of the appliance for enhanced security.

- A new LCD display provides a quick view of the appliance network configuration and overall health.

- Four 1 Gb Ethernet interface ports with port bonding (eth0 and eth1 to bond0 and/or eth2 and eth3 to bond1), for redundancy and enhanced reliability.

See Appliance Hardware Functions.

Partition Security Officer

All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM, providing a highly secure multi-tenant solution.

See Partition Roles.

Best-in-Class Performance

Luna Network HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x Luna HSMs.

Industry-Leading Security

Luna Network HSM 7 provides enhanced environmental failure protection and tamper resistance.

Improved Random Number Generation

The performance of Luna Network HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:

- SP800-90B

- SP800-90C

- BSI DRG.4

New Cryptographic Mechanism Support

Luna Network HSM 7 adds support for the following cryptographic algorithms:

- SP800-108 HMAC (RSA & ECC)

- SP800-38F (KWP)

- Curve25519

- AES-XTS (disk encryption standard)

Increased Key Storage Capacity

Luna Network HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).

Secure Transport Mode Redesigned

Secure Transport Mode (STM) in Luna Network HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the strings are displayed again. If the strings match those recorded at shipment, the HSM has not been tampered with or modified during transport.

See Secure Transport Mode.
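The following Python model illustrates the STM workflow described above: a secret and a random string are generated when STM is enabled, a verification string is bound to the HSM's configuration, and the same pair is recomputed on recovery so that any change made in transit shows up as a mismatch. This is an added example written for this page, not Thales' STM implementation; the HMAC-based fingerprint, the class and method names, the configuration fields and the string formatting are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of a Secure Transport Mode (STM) workflow.
# It is NOT the vendor's STM algorithm; the fingerprint construction, the
# names and the display format below are assumptions for illustration.


def _group(hexstr: str, size: int = 4) -> str:
    """Render a hex string in readable groups, e.g. 'abcd-ef01-...'."""
    return "-".join(hexstr[i:i + size] for i in range(0, len(hexstr), size))


class ModelHsm:
    """Toy HSM holding a configuration that STM must bind to a fingerprint."""

    def __init__(self, config: dict):
        self.config = dict(config)       # state covered by the STM check
        self.locked = False              # True while the HSM is in STM
        self._stm_secret = None          # HSM-internal secret, set on STM entry
        self._random_user_string = None  # second half of the displayed pair

    def _verification_string(self) -> str:
        # Canonical serialization so that key order cannot change the result.
        canonical = "\n".join(
            f"{k}={self.config[k]}" for k in sorted(self.config)).encode()
        digest = hmac.new(self._stm_secret, canonical, hashlib.sha256).digest()
        return _group(digest[:16].hex())

    def enter_stm(self) -> tuple:
        """HSM SO enables STM: lock the HSM and display the string pair."""
        if self.locked:
            raise RuntimeError("already in STM")
        self._stm_secret = secrets.token_bytes(32)
        self._random_user_string = _group(secrets.token_bytes(8).hex())
        self.locked = True
        return (self._verification_string(), self._random_user_string)

    def recover_from_stm(self) -> tuple:
        """Recovery recomputes the pair from the HSM's current state."""
        if not self.locked:
            raise RuntimeError("not in STM")
        pair = (self._verification_string(), self._random_user_string)
        self.locked = False
        return pair

    def tamper_with_config(self, key: str, value: str) -> None:
        """Out-of-band modification during transport (what STM must detect)."""
        self.config[key] = value


def verify_transport(recorded: tuple, displayed: tuple) -> bool:
    """Compare the pair recorded at shipment with the pair shown on receipt."""
    return all(hmac.compare_digest(a, b) for a, b in zip(recorded, displayed))


if __name__ == "__main__":
    # Constructed configuration values; the field names are placeholders.
    hsm = ModelHsm({"serial": "MODEL-0001", "policy48": "1"})
    shipped = hsm.enter_stm()
    print("recorded at shipment:", shipped)
    hsm.tamper_with_config("policy48", "0")      # modification in transit
    received = hsm.recover_from_stm()
    print("displayed on receipt:", received)
    print("integrity ok:", verify_transport(shipped, received))
```

The verification string changes whenever the covered configuration changes, while the random user string is simply replayed; comparing both with a constant-time comparison is what the SO does by eye with the printed strings.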

REST API

The Luna Network HSM REST API web application allows you to use a set of scriptable REST APIs to perform some LunaSH functions.

See REST API Reference.

IPv6

The Luna Network HSM 7 now supports IPv6, using static addressing, SLAAC, or DHCP.

See IPv6 Support and Limitations.

Improved Serial Access

Serial access to the Luna Network HSM is through an RJ45 serial port. A custom Prolific Technologies USB-to-RJ45 cable with a standard 8P8C modular connector is included. The cable requires the PL2303 driver, which you can download from http://www.prolific.com.tw or the Thales Customer Portal.

See Opening a Serial Connection.

Enable Decommission on Tamper

A new capability, Enable Decommission on Tamper, allows you to set HSM policy 40 to decommission the HSM in the event of a tamper.

See HSM Capabilities and Policies.

Controlled Tamper Recovery

If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation.

See Tamper Events.
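The two tamper policies above (Decommission on Tamper and Controlled Tamper Recovery) can be pictured as a small state machine. The Python below is an added example for this page, not vendor code: the state names, the method names and the placeholder key material are assumptions, and the policy numbers are used only as labels for the two flags the text describes.

```python
from enum import Enum

# Constructed model of tamper handling under two policy flags.
# Not the appliance's firmware logic; names and states are assumptions.


class HsmState(Enum):
    NORMAL = "normal"
    TAMPERED = "tampered"              # tamper latched, key material retained
    DECOMMISSIONED = "decommissioned"  # key material zeroized


class TamperModel:
    """Toy tamper state machine driven by the two modelled policy flags."""

    def __init__(self, decommission_on_tamper: bool, controlled_recovery: bool):
        self.policy40 = decommission_on_tamper   # models "Enable Decommission on Tamper"
        self.policy48 = controlled_recovery      # models "Do Controlled Tamper Recovery"
        self.state = HsmState.NORMAL
        self.keys = {"demo-key": b"\x00" * 16}   # constructed placeholder material
        self.tamper_cleared = True
        self.log = []                            # audit trail of what happened

    def tamper_event(self, cause: str) -> HsmState:
        """A tamper is detected: zeroize if policy 40 is set, else latch it."""
        self.log.append(f"tamper: {cause}")
        if self.policy40:
            self.keys.clear()
            self.state = HsmState.DECOMMISSIONED
            self.log.append("policy 40: key material zeroized")
        else:
            self.state = HsmState.TAMPERED
            self.tamper_cleared = False
        return self.state

    def so_clear_tamper(self, so_authenticated: bool) -> None:
        """Only an authenticated HSM SO may clear a latched tamper condition."""
        if not so_authenticated:
            self.log.append("clear refused: HSM SO login required")
            raise PermissionError("HSM SO login required")
        if self.state is HsmState.TAMPERED:
            self.tamper_cleared = True
            self.log.append("HSM SO cleared tamper condition")

    def reset(self) -> HsmState:
        """Reset returns to NORMAL unless policy 48 still holds the tamper."""
        self.log.append("reset")
        if self.state is HsmState.DECOMMISSIONED:
            return self.state           # re-initialization needed; out of scope here
        if (self.state is HsmState.TAMPERED and self.policy48
                and not self.tamper_cleared):
            self.log.append("policy 48: tamper not cleared, staying tampered")
            return self.state
        self.state = HsmState.NORMAL
        self.tamper_cleared = True
        return self.state


if __name__ == "__main__":
    hsm = TamperModel(decommission_on_tamper=False, controlled_recovery=True)
    hsm.tamper_event("chassis opened")           # constructed cause
    print("after reset without SO clear:", hsm.reset().value)
    hsm.so_clear_tamper(so_authenticated=True)
    print("after SO clear and reset:", hsm.reset().value)
    for line in hsm.log:
        print("  ", line)
```

With controlled recovery enabled (the default described above) a plain reset leaves the HSM in the tampered state until the SO clears it; with decommission on tamper enabled the keys are gone as soon as the tamper fires, so no reset can bring them back.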

Release 7.0.0 Advisory Notes

This section highlights important issues you should be aware of before deploying appliance software 7.0.0.

HSM Logs Sent to Messages Log

The hsm.log file is deprecated and has been removed from this release. The HSM logs are now sent to the messages log.

NOTE: Although it is ignored, the hsm option appears in the syntax for some syslog commands (such as syslog tail -logfiles).

Deprecated and Discontinued Features

The following features are deprecated or discontinued in Luna 7. If you have been using any of these Luna 5/6 features, plan for a new configuration and workflow that does not make use of the feature:

- Host trust links (HTL)

- NTLS keys in hardware

- PKI bundle

- Small form factor (SFF) backup

- Watchdog, CPU Governor